PaulDotCom Security Weekly - Episode 344 for Thursday September 5th, 2013
- We've released a book on Offensive Countermeasures! Visit tinyurl.com/OCM-Amazon to add this to your summer reading list.
- We are looking for sponsors for our September webcast. Contact mike -at- hacknaked.tv for details!
- The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 9:00PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, its an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!
Guest Interview: Richard Stiennon
Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. He relaunched the security blog ThreatChaos.com and is the founder of IT-Harvest.
- How did you get your start in information security?
- How do you recommend others get their start in information security?
- We talk a lot about the state of the security industry, few are hopeful, some are depressed, where are we and where are we going?
- Will security be merged with IT for good?
- How has the latest information about NSA spying impacted the industry?
- There are obvious differences between boots on the ground and cyberwar, are there parallels between the two?
- How has technology changed warfare or has warfare changed technology?
- Is privacy dead? Did we kill it? Is there a way to gain some of our privacy rights back?
- Are firewalls still useful? Can't we just harden the systems instead? What keeps the firewall alive?
- What is Big data and how does it tie into information security?
- What is the current state of information sharing between governments, large corporations, and other entities such as CERT?
- Is there a market for anti-virus software on mobile devices? How do we solve the BYOD problem, or do we?
- What are some examples of "cyberwar" and which have had the most impact between warring states?
- In order to defend our organizations, what are the major changes that we need to make that differ from what most are doing today?
- Three words to describe yourself
- If you were a serial killer, what would be our weapon of choice?
- In a game of ass grabby-grabby do you prefer to go first or second?
- If you wrote a book about yourself, what would the title be?
- Stranded on a desert island, which tablet would you bring with you if you could choose only one: Android, iPad or Surface?
Tech Segment: John Strand
- Stuxnet Expert Proposes New Framework For ICS/SCADA Security
- "NSA Laughs At PCs
- "22 Years Later
- Stop treating your datacentre as if it were a laptop: Symantec
Patrick's Stories from far away
- FinFisher is a new spy tool recently revealed that was only supposedly for governments to spy on whoever they wanted. But now it's out in the open and available to anyone with the means, and it seems somewhat nasty. "It is able to recover WEP passphrases within 2 to 5 minutes, and can break WPA1 and WPA2 passphrases with a dictionary attack. It can remotely break into email accounts, and can *for both wired and wireless* "extract usernames and passwords even for SSL/TLS-encrypted sessions like Gmail, Hotmail, Facebook, etc" it "can even infect switched off target systems when the hard disk is fully encrypted with TrueCrypt." it "can be integrated by a local ISP to inject the module into Gmail or Youtube when the victim accesses those 'trusted' sites." Mikko Hypponen also had a presentation on it.
- If you want to get back into the DNS attack things and people needing to lock their domains, DarkReading talks about how you can't just "set it and forget it", you also still need to worry about the quality of your registrar and whether your people can *still* be SE'd out of giving up their credentials.
- Australians are going to have to "opt out" in order to watch porn Another still-evolving story of government misunderstanding the Internet.
- Here's one that I'm digging into Mike Shema at Qualys might have a fix for Cross Site Request Forgery. yeah, it'll require yet another header in the browser, but is that better than trying to get millions of developers to properly use ESAPIs or figure out how to write secure tokens? It may have some legs.
- Oracle tries to help people with Java security warnings, but Krebs says it may make it worse if anyone can actually spoof the same warnings that Oracle uses.
- Schneier on the NSA breaking "all internet encryption" Story has been covered to death, but worth highlighting this quote: "Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted."
- It was supposed to be a joke but when RSnake tried to make a funny web security infographic it turned ugly. Good blog post accompanies the graphic.
- The Five-Guys method of security a thought-provoking post from Gunnar Peterson
- Burp just got a new update Looks like there's a lot of nifty new features, so be sure to update if you use it. I'll be looking at this more in the upcoming weeks.
- Trendnet ruling heralds crackdown on insecure home webcams Good. Just as the government penalizes companies for making defective and dangerous products, companies need to be held to task for creating insecure products. While security can be hard, webcam manufacturers weren't even trying.